Banking Criminals Zero in on Cellphones

NEW YORK (MainStreet)Plain facts: more of us are doing a lot more reading of email, surfing of web pages and clicking on text messages on smartphones than ever before - duh. Obvious of course.

What is not so obvious is that cybercriminals are connecting the dots, and they are zeroing in on the heightened vulnerabilities that come with reading on a small screen that can be downright peculiar in how legibly it shows text in lighting that is less than perfect.

When we use cellphones we become perfect marks for criminals who want us to click on their malicious links and trick us into giving away our login credentials to mobile banking.

The proof: a report from security firm Trend Micro claims that in 2012 it found some 4,000 phishing URLs designed for the mobile web, meaning links to malicious websites optimized for mobile devices.

The report continued: "What's more worrisome is the kind of websites these phishing attacks spoof. In 2012, 75% of mobile phishing URLs were rogue versions of well-known banking or financial sites. Once users are tricked into divulging their login credentials to these sites, cybercriminals can use these stolen data to initiate unauthorized transactions and purchases via the victim's account."

Heading the parade of imitated sites were PayPal, Wells Fargo, Bank of America and several foreign banks (such as Absa in South Africa).

"Mobile is the new treasure trove for cyber criminals," said J.D. Sherry, a vice president at Trend Micro. He said the number of mobile-focused attacks has been soaring.

There is a reason for this, or maybe two.

Most of us have been thoroughly trained - ad nauseam - to not click on suspicious links in email (ones promising details on payoffs on a big U.K. lottery, for instance), and we also have gotten good at eyeballing email addresses to check if that email about an expected deposit was in fact sent from a valid Chase address - or from something in Ukraine.

All that - involving close eyeballing of text - is just so much harder to do on a smartphone with its small, dim screen. Thus we are much more susceptible to clicking, and the bad guys know this. "Mobile users are three times more likely to fall for a phishing email than an online user," said George Tubin, a consultant with security firm Trusteer.

He added, "We absolutely are seeing an increase in fraudulent banking websites" - that is, sites concocted to look like, say, Bank of America's, right down to using stolen logos and art. A user on a big screen would probably notice the site seemed off and would quickly click away.

With mobile, it's game on, however, and "once you give up your credentials, the criminal can access your real accounts," said Tubin.

Another emerging smartphone threat is "SMiShing" -- using SMS messages as bait -- related David Lindner, an executive with Aspect Security. He described in detail how this works: "Users receive what appears to be a legitimate SMS message from a bank, containing a link. Once the link is clicked, an application, that appears like those from the Google Play store, is installed... The 'newer' version will request ridiculous security permissions such as directly calling numbers and sending SMS messages."

That particular scam only works on Android phones, but for iPhone users, the bait is a link in SMS that takes them to a spoofed website where they are urged to log in with their banking username and password.

In both cases nothing happens until we click on a link. But getting us to click is the easy part. Because most SMS comes from family and friends, we are accustomed to safely clicking on all links, so why not this one?
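Both SMS lures described above depend on a link that leads somewhere other than the bank's real site, either a spoofed login page or a download of a rogue app. The following Python script is an added illustration, not code from the article or from Trend Micro, Trusteer or Aspect Security, of how a defender (a carrier filter, an MDM hook or an analyst triaging reported texts) might screen SMS bodies: it extracts links, reduces each host to its registrable domain, and flags hosts that either embed a known bank's domain in a longer name or sit within a couple of character edits of a known bank's name. The bank allow-list, the sample messages and every domain in them are constructed for this example.

```python
"""Flag SMS messages whose links point at lookalike banking domains.

Added illustration for the SMiShing discussion; the allow-list, the sample
messages and the domains in them are constructed, not drawn from any report.
"""
import re
from urllib.parse import urlsplit

# Constructed allow-list: the registrable domains an institution would publish
# as its genuine web presence, mapped to a display name.
KNOWN_BANK_DOMAINS = {
    "paypal.com": "PayPal",
    "wellsfargo.com": "Wells Fargo",
    "bankofamerica.com": "Bank of America",
}

# Matches http(s) links and bare "www." links as they appear in message text.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages: one benign, three lures, one genuine alert.
SAMPLE_SMS = [
    "Family dinner Sunday? Pics at https://photos.example.org/album/42",
    "Wells Fargo alert: unusual sign-in. Verify now http://wellsfarg0.com/login",
    "Your PayPal account is limited. Restore: www.paypal-secure-update.net/restore",
    "BofA: install the new mobile app http://bankofamerica.com.app-update.example/apk",
    "Statement ready: https://www.bankofamerica.com/",
]


def extract_urls(text):
    """Return every http(s) or www. link found in an SMS body."""
    return URL_RE.findall(text)


def full_host(url):
    """Lower-cased hostname of a link, tolerating links with no scheme."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Enough for these constructed samples;
    a real deployment should consult the Public Suffix List instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a, b):
    """Edit distance, used to catch one-character swaps such as 'wellsfarg0'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, bank) where verdict is 'trusted', 'lookalike' or 'unknown'."""
    host = full_host(url)
    domain = registrable_domain(host)
    if domain in KNOWN_BANK_DOMAINS:
        return "trusted", KNOWN_BANK_DOMAINS[domain]
    second_level = domain.split(".")[0]
    for known, bank in KNOWN_BANK_DOMAINS.items():
        known_sld = known.split(".")[0]
        # Brand embedded in a longer host: bankofamerica.com.app-update.example
        # or paypal-secure-update.net (hyphens stripped before the check).
        if known in host or known_sld in host.replace("-", ""):
            return "lookalike", bank
        # Typosquat within two edits of the real second-level label.
        if levenshtein(second_level, known_sld) <= 2:
            return "lookalike", bank
    return "unknown", None


def scan_sms(text):
    """Classify every link in one message: list of (url, verdict, bank)."""
    return [(u,) + classify_url(u) for u in extract_urls(text)]


def is_suspicious(text):
    """True when any link in the message resolves to a lookalike bank domain."""
    return any(verdict == "lookalike" for _, verdict, _ in scan_sms(text))


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        flag = "SUSPICIOUS" if is_suspicious(sms) else "ok"
        print(f"[{flag:10}] {sms}")
        for url, verdict, bank in scan_sms(sms):
            print(f"             {verdict:9} {bank or '-':16} {url}")
```

Two design points are worth noting. The substring check fires on hosts that wrap a genuine bank domain inside a longer name, which is how a lure reads as legitimate on a narrow screen that truncates the address bar; the edit-distance check catches digit-for-letter swaps that are easy to miss in poor lighting. Both are heuristics that produce false positives on unrelated domains that happen to resemble a bank's name, so a production filter would treat a "lookalike" verdict as a reason to warn or quarantine, not to silently drop.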

Which brings us to the second reason for an explosion in mobile-phone-based cyber fraud: the vast majority of users have not yet accepted the idea that iPhones and Android phones are powerful, tiny computers that can do much of what can be done on desktop computers.

Cyber criminals get that, and they know if they gain control of a smartphone user's phone, it is every bit as good as gaining control of that person's computer.